sign in sign up
<<
Home , Indiana Attorney General, Josh Kaul

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58 filed 05/23/19 page 1 of 2

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF SOUTH BEND DIVISION

STATE OF INDIANA, et al., ) ) Plaintiffs, ) ) v. ) Cause No. 3:18-CV-969-RLM-MGG ) MEDICAL INFORMATICS ) ENGINEERING, Inc., et al., ) ) Defendants. )

UNOPPOSED MOTION TO APPROVE CONSENT JUDGMENT AND ORDER

Counsel for Plaintiff, State of Indiana, respectfully requests that the Court approve the

Consent Judgement and Order, attached hereto as Exhibit A. In support hereof, the State of Indiana

states:

1. Plaintiffs have negotiated the injunctive terms with Defendants.

2. Plaintiffs have shared its documents with Defendants and completed minor edits.

3. The Attorneys for the States of Connecticut, Michigan, Tennessee, and West Virginia

intend to appear pro hac vice prior to the approval of the Consent Judgment and Order

attached hereto as Exhibit A.

4. Counsel for Plaintiffs has spoken with counsel for Defendants and they have

no objection to this request.

5. Based on the foregoing, Plaintiffs respectfully requests the Consent Judgment and Order

attached hereto as Exhibit A be approved by the Court.

1

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58 filed 05/23/19 page 2 of 2

Respectfully submitted,

Dated: May 23, 2019 /s/ Michael A. Eades

Michael A. Eades, Atty. No. 31015-49 Office of the 302 W. Washington St., 5 th Floor , IN 46204 317-234-6681 (tel) 317-232-7979 (fax) [email protected]

CERTIFICATE OF SERVICE

I certify that on May 23, 2019 a copy of this document was served on all counsel of record by operation of the Court’s electronic filing system.

/s/ Michael A. Eades Michael A. Eades, Deputy Attorney General Data Privacy and Identity Theft Unit Office of the Indiana Attorney General

2

USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 1 of 26

Exhibit A USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 2 of 26

1 IN THE UNITED STATES DISTRICT COURT 2 FOR THE NORTHERN DISTRICT OF INDIANA SOUTH BEND DIVISION 3

4 The States of Arizona; Arkansas; Connecticut; Case No.:3:18-cv-969-RLM-MGG Florida; Indiana; Iowa; Kansas; Kentucky; 5 Louisiana; Michigan; Minnesota; Nebraska; 6 North Carolina; Tennessee; West Virginia; and , 7 Plaintiffs; 8 vs. 9

10 Medical Informatics Engineering, Inc. d/b/a Enterprise Health, LLC and K&L Holdings, and 11 NoMoreClipboard, LLC , 12 Defendants.

13 14 CONSENT JUDGMENT AND ORDER 15 This Consent Judgment and Order (“Consent Judgment” or “Order”) is entered into 16 between plaintiffs, the States of Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, 17

18 Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West

19 Virginia, and Wisconsin (collectively, “Plaintiffs” or the “States”); and defendants Medical

20 Informatics Engineering, Inc., and NoMoreClipboard, LLC, including all of their subsidiaries, 21 affiliates, agents, representatives, employees, successors, and assigns (collectively, “Defendants” 22 and, together with the States, the “Parties”). 23

24 This Order resolves the Plaintiffs’ investigation and litigation of the events described in

25 the previously-filed Amended Complaint in this action regarding Defendants’ compliance with

26 the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 27 1936, as amended by the Health Information Technology for Economic and Clinical Health Act, 28 1 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 3 of 26

1 Pub. L. No. 111-5, 123 Stat. 226 (“HIPAA”); state deceptive trade practices acts; state personal

2 information protection acts (“PIPAs”); and state breach notification acts (collectively, the 3 “Relevant Laws”), as follows: 4 State Deceptive Acts Data Breach PIPA 5 Arizona: Ariz. Rev. Stat. § 44- 6 1521 et seq . Arkansas: Ark. Code § 4-88-101 Ark. Code § 4-110-105 Ark. Code § 4- 7 et seq. 110-101 et seq. 8 Connecticut: Conn. Gen. Stat. § 42- Conn. Gen. Stat. § 36a- Conn. Gen. Stat. § 110b, et seq . 701b 42-471 9 Florida: Chapter 501, Part II, Section 501.171, Florida Section 501.171, Florida Statutes Statutes Florida Statutes 10 Indiana: Ind. Code §§ 24-5-0.5- Ind. Code § 24- 11 4(C), and 24-5-0.5-4(G) 4.9-3-3.5(f) Iowa: Iowa Code § 714.16 Iowa Code § 715c.2 12 Kansas: Kan. Stat. §§ 50-632, Kan. Stat. § 50-7a02 Kan. Stat. § 50- 13 and 50-636 6139b 14 Kentucky: Ky. Rev. Stat. §§ 367.110-.300, and 15 367.990 Louisiana: La. Rev. Stat. § La. Rev. Stat. 51:3071 et 16 51:1401 et seq. seq. 17 Michigan: Mich. Comp. Laws § Mich. Comp. Laws § 445.901 et seq . 445.72(13) 18 Minnesota: Minn. Stat. §§ 325D.43 Minn. Stat. § 325E.61 et seq. ; Minn. Stat. §§ 19 325F.68 et seq. 20 Nebraska: Neb. Rev. Stat. §§ 59- Neb. Rev. Stat. § 87-806 1602; 59-1608, 59- 21 1614, and 87-301 22 North N.C. Gen. Stat. § 75- N.C. Gen. Stat. § 75-65 N.C. Gen. Stat. § Carolina: 1.1, et seq . 75-60, et seq . 23 Tennessee: Tenn. Code § 47-18- Tenn. Code Ann. § 47-18- Tenn. Code §§ 47- 24 101 et seq. 2107 18-2110 West W.Va. Code §§ 46A-1- 25 Virginia: 101 et seq ., 46A-7-108, 26 and 46A-7-111 Wisconsin: Wis. Stat. §§ 93.20, Wis. Stat. § 134.98 Wis. Stat. §§ 27 100.18, and 100.26 146.82 and 146.84(2)(b) 28 2 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 4 of 26

1

2 I. THE PARTIES 3 1. Plaintiffs are charged with, among other things, enforcement of the Relevant 4 Laws of their respective States. Plaintiffs, pursuant to 42 U.S.C. § 1320d-5(d), may also enforce 5

6 HIPAA.

7 2. Defendant Medical Informatics Engineering, Inc. (“MIE”) is a domestic

8 corporation with headquarters located at 6302 Constitution Drive, Fort Wayne, Indiana, 46804. 9 3. Defendant NoMoreClipboard, LLC (“NMC”) is a wholly-owned subsidiary of 10 Medical Informatics Engineering, Inc., headquartered at 6312 Constitution Drive, Fort Wayne, 11

12 Indiana, 46804.

13 II. JURISDICTION

14 4. The Court has jurisdiction over the subject matter and over the Parties for the 15 purpose of entering into this Consent Judgment. The Court retains jurisdiction for the purpose of 16 enabling the Parties to apply to the Court at any time for such further orders and relief as may be 17

18 necessary for the construction, modification, enforcement, execution or satisfaction of this

19 Consent Judgment.

20 5. At all times relevant to this matter, Defendants were engaged in trade and 21 commerce affecting consumers in the States insofar as Defendants provided electronic health 22 records services to health care providers in the States. Defendants also maintained a website for 23

24 patients and client health care providers located in the States.

25

26 27

28 3 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 5 of 26

1 III. FINDINGS

2 6. The States allege that Defendants engaged in conduct in violation of the Relevant 3 Laws set forth above, which the Defendants deny. 4 7. The Court has reviewed the terms of this Consent Judgment and based upon the 5

6 Parties’ agreement and for good cause shown

7 IT IS HEREBY ORDERED, ADJUDGED AND AGREED AS FOLLOWS:

8 IV. EFFECTIVE DATE 9 8. This Consent Judgment shall be effective on the date it is entered by the Court. 10 V. DEFINITIONS 11 12 9. “Administrative Safeguards” shall be defined in accordance with 45 C.F.R. §

13 164.304 and are administrative actions, and policies and procedures, to manage the selection,

14 development, implementation, and maintenance of security measures to protect Electronic 15 Protected Health Information and to manage the conduct of the covered entity’s or business 16 associate’s workforce in relation to the protection of that information. 17

18 10. “Business Associate” shall be defined in accordance with 45 C.F.R. § 160.103

19 and is a person or entity that provides certain services to or performs functions on behalf of

20 covered entities, or other business associates of covered entities, that require access to Protected 21 Health Information. 22 11. “Covered Entity” shall be defined in accordance with 45 C.F.R. § 160.103 and is 23

24 a health care clearinghouse, health plan, or health care provider that transmits health information

25 in electronic form in connection with a transaction for which the U.S. Department of Health and

26 Human Services has adopted standards. 27

28 4 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 6 of 26

1 12. “Data Breach” shall mean the data theft from MIE’s and NMC’s computer system

2 occurring in or about May 2015. 3 13. “Electronic Protected Health Information” or “ePHI” shall be defined in 4 accordance with 45 C.F.R. § 160.103. 5

6 14. “Generic account” shall be defined as an account assigned for a specific role that

7 can be used by unidentified persons or multiple persons. Generic account shall not include

8 service accounts. 9 15. “Minimum Necessary Standard” shall refer to the requirements of the Privacy 10 Rule that, when using or disclosing Protected Health Information or when requesting Protected 11

12 Health Information from another Covered Entity or Business Associate, a Covered Entity or

13 Business Associate must make reasonable efforts to limit Protected Health Information to the

14 minimum necessary to accomplish the intended purpose of the use, disclosure, or request as 15 defined in 45 C.F.R. § 164.502(b) and § 164.514(d). 16 16. “Privacy Rule” shall refer to the HIPAA Regulations that establish national 17

18 standards to safeguard individuals’ medical records and other Protected Health Information,

19 including ePHI, that is created, received, used, or maintained by a Covered Entity or Business

20 Associate that performs certain services on behalf of the Covered Entity, specifically 45 C.F.R. 21 Part 160 and 45 C.F.R. Part 164, Subparts A and E. 22 17. “Protected Health Information” or “PHI” shall be defined in accordance with 45 23

24 C.F.R. § 160.103.

25 18. “Security Incident” shall be synonymous with “Intrusion” and shall be defined as

26 the attempted or successful unauthorized access, use, disclosure, modification, or destruction of 27

28 5 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 7 of 26

1 information or interference with system operations in an information system in accordance with

2 45 C.F.R. § 164.304. 3 19. “Security Rule” shall refer to the HIPAA Regulations that establish national 4 standards to safeguard individuals’ Electronic Protected Health Information that is created, 5

6 received, used, or maintained by a Covered Entity or Business Associate that performs certain

7 services on behalf of the Covered Entity, specifically 45 C.F.R. Part 160 and 45 C.F.R. Part 164,

8 Subparts A and C. 9 20. “Technical Safeguards” shall be defined in accordance with 45 C.F.R. § 164.304 10 and means the technology and the policy and procedures for its use that protect Electronic 11

12 Protected Health Information and control access to it.

13 VI. FACTUAL BACKGROUND

14 21. MIE is a third-party provider that licenses a web-based electronic health record 15 application, known as WebChart, to healthcare providers. NMC provides or has provided patient 16 portal and personal health records services to healthcare providers that enable patients to access 17

18 and manage their electronic health records.

19 22. At all relevant times, MIE and NMC were Business Associates within the

20 meaning of HIPAA. 21 23. As Business Associates, Defendants are required to comply with HIPAA’s 22 requirements governing the privacy and security of individually identifiable health information, 23

24 as set forth in the Privacy and Security Rules.

25 24. Plaintiffs’ investigation determined that Defendants, as described in the Amended

26 Complaint, engaged in multiple violations of the Relevant Laws and the regulations promulgated 27 thereunder. Plaintiffs and Defendants have agreed to the Court’s entry of this Final Consent 28 6 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 8 of 26

1 Judgment and Order without trial or adjudication of any issue of fact or law, and without

2 admission of any facts alleged or liability of any kind. The Parties have reached an agreement 3 hereby resolving the issues in dispute without the need for further court action. As evidenced by 4 their signatures below, the Parties consent to the entry of this Consent Judgment and without an 5

6 admission of liability or wrongdoing with regard to this matter.

7 25. Plaintiffs incorporate by reference all the assertions in the Amended Complaint as

8 if asserted herein. 9 VII. INJUNCTIVE PROVISIONS 10 WHEREFORE, TO PROTECT CONSUMERS AND ENSURE FUTURE 11

12 COMPLIANCE WITH THE LAW:

13 26. Defendants shall comply with all Administrative and Technical Safeguards and

14 implementation specifications required by HIPAA. 15 27. Defendants shall comply with the States’ deceptive trade practices acts in 16 connection with their collection, maintenance, and safeguarding of consumers’ personal and 17

18 Protected Health Information, and maintain reasonable security policies and procedures to

19 protect such information.

20 28. Defendants shall comply with the States’ breach notification acts. 21 29. Defendants shall comply with the States’ PIPAs. 22 30. Defendants shall not make any representation that has the capacity, tendency, or 23

24 effect of deceiving or misleading consumers in connection with the safeguarding of ePHI.

25 31. Defendants shall implement and maintain an information security program that

26 shall be written and shall contain administrative, technical, and physical safeguards appropriate 27 to: (i) the size and complexity of Defendants’ operations; (ii) the nature and scope of 28 7 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 9 of 26

1 Defendants’ activities; and (iii) the sensitivity of the personal information that Defendants

2 maintain. It shall be the responsibility of the Privacy Officer or other designated individual to 3 maintain, promulgate, and update the policies and procedures necessary to implement the 4 information security program. 5

6 32. Defendants shall not employ the use of generic accounts that can be accessed via

7 the Internet.

8 33. Defendants shall ensure that no generic account on its information system has 9 administrative privileges. 10 34. Defendants shall require multi-factor authentication to access any portal they 11

12 manage in connection with their maintenance of ePHI.

13 35. Defendants shall implement and maintain a Security Incident and Event

14 Monitoring solution to detect and respond to malicious attacks. The Security Incident and Event 15 Monitoring solution may utilize a suite of different solutions and tools to detect and respond to 16 malicious attacks rather than a single solution. 17

18 36. Defendants shall implement and maintain reasonable measures to prevent and

19 detect SQL injection attacks that may impact any ePHI they maintain.

20 37. Defendants shall implement and maintain reasonable measures with respect to the 21 creation of accounts in systems under the administrative control of Defendants with respect to 22 their own employees with access to ePHI to limit and control their creation and ensure that 23

24 accounts with access to such ePHI are properly monitored. Defendants shall implement and

25 maintain a data loss prevention technology to detect and prevent unauthorized data exfiltration.

26 The data loss prevention technology may utilize a suite of different solutions and tools to detect 27 and prevent unauthorized data exfiltration. 28 8 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 10 of 26

1 38. Defendants shall require the use of multi-factor authentication by their employees

2 when remotely accessing their system(s) that store or permit access to ePHI. 3 39. Defendants shall maintain reasonable policies and procedures to ensure that logs 4 of system activity are regularly and actively reviewed and analyzed in as close to real-time as 5

6 possible.

7 40. Defendants shall implement and maintain password policies and procedures

8 related to their employees requiring the use of strong, complex passwords, and ensuring the 9 stored passwords are protected from unauthorized access. 10 41. Defendants shall educate their clients on strong password policies and promote 11

12 the use of multi-factor authentication by their clients. Defendants shall make the use of multi-

13 factor authentication as well as Single Sign On (SSO) functions available to their clients.

14 42. Defendants shall implement and maintain appropriate policies and procedures to 15 respond to Security Incidents. 16 43. Defendants shall, at least annually, train relevant employees regarding their 17

18 information privacy and security policies, and shall document such training.

19 44. Defendants shall, within ninety (90) days of the Effective Date of this Consent

20 Judgment, and thereafter annually for a period of five (5) additional years, engage an 21 independent third-party professional who uses procedures and standards generally accepted in 22 the profession to conduct a current, comprehensive, and thorough risk analysis of security risks 23

24 and vulnerabilities to ePHI that they create, receive, maintain, or transmit, including a review of

25 the actions or deficiencies that are the subject of the Consent Judgment. A professional qualified

26 to conduct such risk analysis must be: (a) an individual qualified as a Certified Information 27 System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); or 28 9 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 11 of 26

1 a similarly qualified person or organization; and (b) have at least five (5) years of experience

2 evaluating the effectiveness of computer systems or information system security. Defendants 3 may utilize an independent third-party vendor with which they already have a contractual 4 relationship to conduct the risk analysis, so long as the contract between the parties provides that 5

6 the person or persons performing the analysis on behalf of the independent third-party vendor are

7 qualified as a CISSP or CISA. The independent third-party professional conducting the risk

8 analysis shall prepare a formal report (“Security Report”) including its findings and 9 recommendations, a copy of which shall be provided to the Indiana Attorney General no later 10 than one hundred eighty (180) days after the Effective Date of this Consent Judgment, which the 11

12 Indiana Attorney General may share with the States pursuant to paragraph 56. Each year

13 thereafter, a copy of the Security Report shall be provided to the Indiana Attorney General within

14 thirty (30) days of the anniversary of the completion of the first Security Report, until the 15 expiration of the five (5) year period. 16 45. Within ninety (90) days of their receipt of each Security Report, Defendants shall 17

18 review and, to the extent necessary, revise their current policies and procedures based on the

19 findings of the Security Report. Within one hundred eighty (180) days of Defendants’ receipt of

20 each Security Report, Defendants shall forward to the Indiana Attorney General a description of 21 any action they take and, if no action is taken, a detailed description why no action is necessary, 22 in response to each Security Report. The document submitted to the Indiana Attorney General in 23

24 response to each Security Report shall be titled “MIE Security Action Report,” a copy of which

25 may be shared with the States pursuant to paragraph 56.

26 46. Each Defendant shall designate a Privacy Officer or other official to ensure 27 compliance with this Consent Judgment. The efforts of the Privacy Officer or other designated 28 10 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 12 of 26

1 official in this regard shall be documented in the MIE Security Action Report that is submitted to

2 the Indiana Attorney General and may be shared with the States pursuant to paragraph 56. 3

4 VIII. PAYMENT TO THE STATES

5 47. Defendant shall make payment to the States in the sum total of Nine Hundred 6 Thousand ($900,000.00) dollars, to be paid in three equal installments. 7 a. The first installment shall be remitted on July 1, 2019; 8

9 b. The second installment shall be remitted on July 1, 2020; and

10 c. The third installment shall be remitted on July 1, 2021.

11 48. The money received by the Attorneys General pursuant to this settlement may be 12 used for purposes that may include, but are not limited to, attorneys’ fees, and other costs of 13 investigation and litigation, or be placed in, or applied to, any consumer protection law 14

15 enforcement fund, including future consumer protection or privacy enforcement, consumer

16 education, litigation or local consumer aid fund or revolving fund, used to defray the costs of the

17 inquiry leading hereto, or for other uses permitted by state law, at the sole discretion of the 18 Attorneys General, where applicable, or any purpose allowable under state law. 19 a. The amount payable to the Commonwealth of Kentucky pursuant to paragraph 47 20

21 includes Eight Thousand Ninety ($8,090.00) dollars for the recovery of the Kentucky Attorney

22 General’s reasonable costs of investigation and litigation. This amount is not in addition to, but

23 is part of the amount payable to the Commonwealth of Kentucky. KRS 48.005(4). 24 IX. RELEASE 25 49. Following full payment of the amounts due by Defendants under this Consent 26

27 Judgment, Plaintiffs shall release and discharge Defendants from all civil claims that the States

28 could have brought under the Relevant Laws, based on Defendants’ conduct as set forth in the 11 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 13 of 26

1 Amended Complaint. Nothing contained in this paragraph shall be construed to limit the ability

2 of the States to enforce the obligations that Defendants or their officers, subsidiaries, affiliates, 3 agents, representatives, employees, successors, and assigns have under this Consent Judgment. 4 Further, nothing in the Consent Judgment shall be construed to create, waive, or limit any private 5 1 6 right of action .

7 50. Notwithstanding any term of this Consent Judgment, any and all of the following

8 forms of liability are specifically reserved and excluded from the release in paragraph 49 as to 9 any entity or person, including Defendants: 10 a. Any criminal liability that any person or entity, including Defendants, has or may 11

12 have to the States.

13 b. Any civil liability or administrative liability that any person or entity, including

14 Defendants, has or may have to the States under any statute, regulation, or rule not expressly 15 covered by the release in paragraph 25 above, including but not limited to, any and all of the 16 following claims: (i) State or federal antitrust violations; (ii) State or federal securities violations; 17

18 (iii) State insurance law violations; or (iv) State or federal tax claims.

19 X. CONSEQUENCES OF NONCOMPLIANCE

20 51. Defendants represent that they have fully read this Consent Judgment and 21 understand the legal consequences attendant to entering into this Consent Judgment. Defendants 22 understand that any violation of this Consent Judgment may result in any signatory Attorney 23

24 General seeking all available relief to enforce this Consent Judgment, including an injunction,

25

26 1 Consistent with this paragraph, Defendants and the Attorney General of Minnesota agree that as to Minnesota, the Attorney General of Minnesota through this Consent Judgment and Order does not settle, release, 27 or resolve any claim against Defendants or any other person or entity involving any private causes of action, private claims, and private remedies including, but not limited to, private causes of action, private claims, or private 28 remedies provided for under Minn. Stat. § 8.31. 12 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 14 of 26

1 civil penalties, court and investigative costs, attorneys’ fees, restitution, and any other relief

2 provided by the laws of the State or authorized by a court. If any Plaintiff is required to file a 3 petition to enforce any provision of this Judgment against one or more Defendants, the particular 4 Defendant(s) involved in such petition agrees to pay all court costs and reasonable attorneys’ 5

6 fees associated with any successful petition to enforce any provision of this Judgment against

7 such Defendant(s).

8 XI. GENERAL PROVISIONS 9 52. Any failure of Plaintiffs to exercise any of their rights under this Consent 10 Judgment shall not constitute a waiver of their rights hereunder. 11

12 53. Defendants hereby acknowledge that their undersigned representative or

13 representatives are authorized to enter into and execute this Consent Judgment. Defendants are

14 and have been represented by legal counsel and have been advised by their legal counsel of the 15 meaning and legal effect of this Consent Judgment. 16 54. This Consent Judgment shall bind Defendants and their officers, subsidiaries, 17

18 affiliates, agents, representatives, employees, successors, future purchasers, acquiring parties,

19 and assigns.

20 55. Defendants shall deliver a copy of this Consent Judgment to, or otherwise fully 21 apprise, their executive management having decision-making authority with respect to the 22 subject matter of this Consent Judgment within thirty (30) days of the Effective Date. 23

24 56. Defendants assert that the Security Report and the MIE Security Action Report

25 required under this Consent Judgment contain confidential commercial information, confidential

26 financial information, and/or trade secrets, and the States who receive the Security Report or 27 MIE Security Action Report, whether from Defendants or another Attorney General, shall, to the 28 13 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 15 of 26

1 extent permitted under the laws of the States, treat each report as confidential and exempt from

2 disclosure under their respective public records laws. 3 57. The settlement negotiations resulting in this Consent Judgment have been 4 undertaken by Defendants and the States in good faith and for settlement purposes only, and no 5

6 evidence of negotiations or communications underlying this Consent Judgment shall be offered

7 or received in evidence in any action or proceeding for any purpose.

8 58. Defendants waive notice and service of process for any necessary filing relating to 9 this Consent Judgment, and the Court retains jurisdiction over this Consent Judgment and the 10 Parties hereto for the purpose of enforcing and modifying this Consent Judgment and for the 11

12 purpose of granting such additional relief as may be necessary and appropriate. No modification

13 of the terms of this Consent Judgment shall be valid or binding unless made in writing, signed by

14 the Parties, and approved by the Court in which the Consent Judgment is filed, and then only to 15 the extent specifically set forth in such Court’s Order. The Parties may agree in writing, through 16 counsel, to an extension of any time period specified in this Consent Judgment without a court 17

18 order.

19 59. Defendants do not object to ex parte submission and presentation of this Consent

20 Judgment by the Plaintiff to the Court, and do not object to the Court’s approval of this Consent 21 Judgment and entry of this Consent Judgment by the clerk of the Court. 22 60. The Parties agree that this Consent Judgment does not constitute an approval by 23

24 Plaintiffs of any of Defendants’ past or future practices, and Defendants shall not make any

25 representation to the contrary.

26 61. The requirements of the Consent Judgment are in addition to, and not in lieu of, 27 any other requirements of state or federal law. Nothing in this Order shall be construed as 28 14 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 16 of 26

1 relieving Defendants of the obligation to comply with all local, state, and federal laws,

2 regulations, or rules, nor shall any of the provisions of the Consent Judgment be deemed as 3 permission for Defendants to engage in any acts or practices prohibited by such laws, 4 regulations, or rules. 5

6 62. This Consent Judgment shall not create a waiver or limit Defendants’ legal rights,

7 remedies, or defenses in any other action by any of the Plaintiffs, except an action to enforce the

8 terms of this Consent Judgment or to demonstrate that Defendants were on notice as to the 9 allegations contained herein. 10 63. This Consent Judgment shall not waive Defendants’ right to defend themselves, 11

12 or make argument in, any other matter, claim, or suit, including, but not limited to, any

13 investigation or litigation relating to the subject matter or terms of the Consent Judgment, except

14 with regard to an action by any of the Plaintiffs to enforce the terms of this Consent Judgment. 15 64. This Consent Judgment shall not waive, release, or otherwise affect any claims, 16 defenses, or position that Defendants may have in connection with any investigations, claims, or 17

18 other matters not released in this Consent Judgment.

19 65. Defendants shall not participate directly or indirectly in any activity to form or

20 proceed as a separate entity or corporation for the purpose of engaging in acts prohibited in this 21 Consent Judgment or for any other purpose which would otherwise circumvent any part of this 22 Consent Judgment. 23

24 66. If any clause, provision, or section of this Consent Judgment shall, for any reason,

25 be held illegal, invalid, or unenforceable, such illegality, invalidity, or unenforceability shall not

26 affect any other clause, provision, or section of this Consent Judgment and this Consent 27

28 15 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 17 of 26

1 Judgment shall be construed and enforced as if such illegal, invalid, or unenforceable clause,

2 section, or other provision had not been contained herein. 3 67. Unless otherwise prohibited by law, any signatures by the Parties required for 4 entry of this Consent Judgment may be executed in counterparts, each of which shall be deemed 5

6 an original, but all of which shall be considered one and the same Consent Judgment.

7 68. To the extent that there are any, Defendants agree to pay all court costs associated

8 with the filing of this Consent Judgment. 9 XII. NOTICES UNDER THIS CONSENT JUDGMENT 10 69. Any notices or other documents required to be sent to the Parties pursuant to the 11

12 Consent Judgment shall be sent by United States Mail, Certified Return Receipt Requested, or

13 other nationally recognized courier service that provides tracking services and identification of

14 the person signing for the documents. The notices and/or documents required to be submitted to: 15

16 Douglas S. Swetnam (IN State Bar #15860-49) Section Chief – Data Privacy & ID Theft Unit 17 Office of Attorney General Jr. 18 302 W. Washington St., 5th Floor Indianapolis, IN 46204 19 Email: [email protected] Telephone: (317) 232-6294 20 21 Michael A. Eades (IN State Bar #31015-49) Deputy Attorney General 22 Office of Attorney General Curtis Hill, Jr. 302 W. Washington St., 5th Floor 23 Indianapolis, IN 46204 24 Email: [email protected] Telephone: (317) 234-6681 25

26 27

28 16 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 18 of 26

1 John C. Gray (Pro Hac Vice) Assistant Attorney General 2 Office of Attorney General 3 2005 N. Central Ave. Phoenix, AZ 85004 4 Email: [email protected] Telephone: (602) 542-7753 5 Attorney for Plaintiff State of Arizona 6 Peggy Johnson (Pro Hac Vice) 7 Assistant Attorney General Office of Attorney General 8 323 Center St., Suite 200 9 Little Rock, AR 72201 Email: [email protected] 10 Telephone: (501) 682-8062 Attorney for Plaintiff State of Arkansas 11 12 Michele Lucan (Pro Hac Vice) Assistant Attorney General 13 Office of Attorney General 110 Sherman Street 14 Hartford, CT 06105 15 Email: [email protected] Telephone: (860) 808-5440 16 Attorney for Plaintiff State of Connecticut

17 Patrice Malloy (Pro Hac Vice) 18 Bureau Chief, Multistate and Privacy Bureau Florida Office of the Attorney General 19 110 SE 6th Street Fort Lauderdale, FL 33301 20 (954) 712-4669 21 [email protected]

22 Diane Oates (Pro Hac Vice) Assistant Attorney General 23 Florida Office of the Attorney General 24 110 Southeast 6th Street Fort Lauderdale, FL 33301 25 Email: [email protected] Telephone: (954) 712-4603 26 Attorney for Plaintiff State of Florida 27

28 17 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 19 of 26

1 William Pearson (Pro Hac Vice) Assistant Attorney General 2 Office of Attorney General 3 1305 E. Walnut, 2nd Floor Des Moines, IA 50319 4 Email: [email protected] Telephone: (515) 281-3731 5 Attorney for Plaintiff State of Iowa 6 Sarah Dietz (Pro Hac Vice) 7 Assistant Attorney General Office of Attorney General 8 120 S.W. 10th Ave., 2nd Floor 9 Topeka, KS 66612 Email: [email protected] 10 Telephone: (785) 296-3751 Attorney for Plaintiff State of Kansas 11 12 Kevin R. Winstead (Pro Hac Vice) Assistant Attorney General 13 Office of Attorney General Andy Beshear 1024 Capital Center Drive 14 Frankfort, KY 40601 15 Email: [email protected] Telephone: (502) 696-5389 16 Attorney for Plaintiff Commonwealth of Kentucky

17 Alberto A. De Puy (Pro Hac Vice) 18 Assistant Attorney General Office of Attorney General 19 1885 N. Third St. Baton Rouge, LA 70802 20 Email: [email protected] 21 Telephone: (225) 326-6471

22 L. Christopher Styron (Pro Hac Vice) Assistant Attorney General 23 Office of Attorney General Jeff Landry 24 1885 N. Third St. Baton Rouge, LA 70802 25 Email: [email protected] Telephone: (225) 326-6400 26 Attorneys for Plaintiff State of Louisiana 27

28 18 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 20 of 26

1 Kathy Fitzgerald (Pro Hac Vice) Assistant Attorney General 2 Department of Attorney General 3 Corporate Oversight Division 525 W. Ottawa St., 5th Floor 4 Lansing, MI 48933 Email: [email protected] 5 Telephone: (517) 335-7632 6 Attorney for Plaintiff State of Michigan

7 Jason T. Pleggenkuhle (Pro Hac Vice) Assistant Attorney General 8 Office of Attorney General Lori Swanson 9 Bremer Tower, Suite 1200 445 Minnesota St. 10 St. Paul, MN 55101-2130 Email: [email protected] 11 Telephone: (651) 757-1147 12 Attorney for Plaintiff State of Minnesota

13 Daniel J. Birdsall (Pro Hac Vice) Assistant Attorneys General 14 Office of Attorney General Doug Peterson 15 2115 State Capitol PO Box 98920 16 Lincoln, NE 68509 Email: [email protected] 17 Telephone: (402) 471-1279 18 Attorney for Plaintiff State of Nebraska

19 Kimberley A. D’Arruda (Pro Hac Vice) Special Deputy Attorney General 20 North Carolina Department of Justice 21 Office of Attorney General Joshua H. Stein P.O. Box 629 22 Raleigh, NC 27602-0629 Email: [email protected] 23 Telephone: (919) 716-6013 24 Attorney for Plaintiff State of North Carolina

25

26 27

28 19 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 21 of 26

1 Carolyn U. Smith (Pro Hac Vice) Senior Assistant Attorney General 2 Office of the Attorney General and Reporter Herbert H. Slatery III 3 P.O. Box 20207 Nashville, TN 37202-0207 4 Email: [email protected] Telephone: (615) 532-2578 5 Attorney for Plaintiff State of Tennessee 6 Tanya L. Godfrey (Pro Hac Vice) 7 Assistant Attorney General Office of the West Virginia Attorney General 8 269 Aikens Center 9 Martinsburg, WV 25404 Email: [email protected] 10 Telephone: (304) 267-0239 Attorney for Plaintiff State of West Virginia 11 12 R. Duane Harlow (Pro Hac Vice) Assistant Attorney General 13 Director, Consumer Protection and Antitrust Unit Wisconsin Department of Justice 14 Office of Attorney General 15 17 W. Main St., P.O. Box 7857 Madison, WI 53707-7857 16 Email: [email protected] Telephone: (608) 266-2950 17 Attorney for Plaintiff State of Wisconsin 18

19 For Medical Informatics Engineering, Inc. and NoMoreClipboard, LLC:

20 Claudia D. McCarron 21 Mullen Coughlin LLC 1275 Drummers Lane, Suite 302 22 Wayne, PA 19087 Email: [email protected] 23 Telephone: (267) 930-4787 24 IT IS SO ORDERED, ADJUDGED AND DECREED, on the ______day of 25 ______20___. 26

27 ______28 Hon. Robert L. Miller, Jr. 20 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 22 of 26

1 Distribution:

2 Claudia D. McCarron 3 Mullen Coughlin LLC 1275 Drummers Lane, Suite 302 4 Wayne, PA 19087 Email: [email protected] 5 Telephone: (267) 930-4787 6 Douglas S. Swetnam (IN State Bar #15860-49) 7 Section Chief – Data Privacy & ID Theft Unit Office of Attorney General Curtis Hill Jr. 8 302 W. Washington St., 5th Floor 9 Indianapolis, IN 46204 Email: [email protected] 10 Telephone: (317) 232-6294

11 Michael A. Eades (IN State Bar #31015-49) 12 Deputy Attorney General Office of Attorney General Curtis Hill, Jr. 13 302 W. Washington St., 5th Floor Indianapolis, IN 46204 14 Email: [email protected] 15 Telephone: (317) 234-6681

16 John C. Gray (Pro Hac Vice) Assistant Attorney General 17 Office of Attorney General Mark Brnovich 18 2005 N. Central Ave. Phoenix, AZ 85004 19 Email: [email protected] Telephone: (602) 542-7753 20 Attorney for Plaintiff State of Arizona 21 Peggy Johnson (Pro Hac Vice) 22 Assistant Attorney General Office of Attorney General Leslie Rutledge 23 323 Center St., Suite 200 24 Little Rock, AR 72201 Email: [email protected] 25 Telephone: (501) 682-8062 Attorney for Plaintiff State of Arkansas 26 27

28 21 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 23 of 26

1 Michele Lucan (Pro Hac Vice) Assistant Attorney General 2 Office of Attorney General William Tong 3 55 Elm St., P.O. Box 120 Hartford, CT 06141-0120 4 Email: [email protected] Telephone: (860) 808-5020 5 Attorney for Plaintiff State of Connecticut 6 Patrice Malloy (Pro Hac Vice) 7 Bureau Chief, Multistate and Privacy Bureau Florida Office of the Attorney General 8 110 SE 6th Street 9 Fort Lauderdale, FL 33301 (954) 712-4669 10 [email protected]

11 Diane Oates (Pro Hac Vice) 12 Assistant Attorney General Florida Office of the Attorney General 13 110 Southeast 6th Street Fort Lauderdale, FL 33301 14 Email: [email protected] 15 Telephone: (954) 712-4603 Attorneys for Plaintiff State of Florida 16 William Pearson (Pro Hac Vice) 17 Assistant Attorney General 18 Office of Attorney General Tom Miller 1305 E. Walnut, 2nd Floor 19 Des Moines, IA 50319 Email: [email protected] 20 Telephone: (515) 281-3731 21 Attorney for Plaintiff State of Iowa

22 Sarah Dietz (Pro Hac Vice) Assistant Attorney General 23 Office of Attorney General Derek Schmidt 24 120 S.W. 10th Ave., 2nd Floor Topeka, KS 66612 25 Email: [email protected] Telephone: (785) 368-6204 26 Attorney for Plaintiff State of Kansas 27

28 22 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 24 of 26

1 Kevin R. Winstead (Pro Hac Vice) Assistant Attorney General 2 Office of Attorney General Andy Beshear 3 1024 Capital Center Drive Frankfort, KY 40601 4 Email: [email protected] Telephone: (502) 696-5389 5 Attorney for Plaintiff Commonwealth of Kentucky 6 Alberto A. De Puy (Pro Hac Vice) 7 Assistant Attorney General Office of Attorney General Jeff Landry 8 1885 N. Third St. 9 Baton Rouge, LA 70802 Email: [email protected] 10 Telephone: (225) 326-6471

11 L. Christopher Styron (Pro Hac Vice) 12 Assistant Attorney General Office of Attorney General Jeff Landry 13 1885 N. Third St. Baton Rouge, LA 70802 14 Email: [email protected] 15 Telephone: (225) 326-6400 Attorneys for Plaintiff State of Louisiana 16 Kathy Fitzgerald (Pro Hac Vice) 17 Assistant Attorney General 18 Department of Attorney General Dana Nessel Corporate Oversight Division 19 525 W. Ottawa St., 5th Floor Lansing, MI 48933 20 Email: [email protected] 21 Telephone: (517) 335-7632 Attorney for Plaintiff State of Michigan 22 Jason T. Pleggenkuhle (Pro Hac Vice) 23 Assistant Attorney General 24 Office of Attorney General Bremer Tower, Suite 1200 25 445 Minnesota St. St. Paul, MN 55101-2130 26 Email: [email protected] 27 Telephone: (651) 757-1147 Attorney for Plaintiff State of Minnesota 28 23 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 25 of 26

1 Daniel J. Birdsall (Pro Hac Vice) Assistant Attorneys General 2 Office of Attorney General Doug Peterson 3 2115 State Capitol PO Box 98920 4 Lincoln, NE 68509 Email: [email protected] 5 Telephone: (402) 471-1279 6 Attorney for Plaintiff State of Nebraska

7 Kimberley A. D’Arruda (Pro Hac Vice) Special Deputy Attorney General 8 North Carolina Department of Justice 9 Office of Attorney General Joshua H. Stein P.O. Box 629 10 Raleigh, NC 27602-0629 Email: [email protected] 11 Telephone: (919) 716-6013 12 Attorney for Plaintiff State of North Carolina

13 Carolyn U. Smith (Pro Hac Vice) Senior Assistant Attorney General 14 Office of the Attorney General Herbert Slattery III 15 P.O. Box 20207 Nashville, TN 37202 16 Email: [email protected] Telephone: (615) 532-2578 17 Attorney for Plaintiff State of Tennessee 18 Tanya L. Godfrey (Pro Hac Vice) 19 Assistant Attorney General Office of Attorney General Patrick Morrisey 20 P.O. Box 1789 21 Charleston, WV 25326 Email: [email protected] 22 Telephone: (304) 558-8986 Attorney for Plaintiff State of West Virginia 23 24

25

26 27

28 24 USDC IN/ND case 3:18-cv-00969-RLM-MGG document 58-1 filed 05/23/19 page 26 of 26

1 R. Duane Harlow (Pro Hac Vice) Assistant Attorney General 2 Director, Consumer Protection and Antitrust Unit 3 Wisconsin Department of Justice Office of Attorney General Josh Kaul 4 17 W. Main St., P.O. Box 7857 Madison, WI 53707-7857 5 Email: [email protected] 6 Telephone: (608) 266-2950 Attorney for Plaintiff State of Wisconsin 7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28 25